The Federal Trade Commission (FTC) this week released its report on consumer privacy for businesses. The report does not have the force of law, but calls for businesses to voluntarily adopt best practices around consumer privacy.

The report is complex, but outlines 3 areas of best practices for businesses to follow:

Privacy by design – According to the FTC, firms should build privacy protection into every aspect of their business operations. This includes limiting the amount of data collected from consumers, maintaining data security, making sure data is accurate, and having sound retention practices.

Simplified consumer choice – Companies should give consumers more choice about keeping their data private, and to make it easy to choose to keep data private, including a Do Not Track mechanism to give consumers control over information collected about them as they surf the web and use mobile devices. The FTC report lauds browser vendors Microsoft, Mozilla Firefox and Apple for equipping their latest browsers with features that allow users to say “hands-off” to trackers.

The reports also commended the advertising industry for taking action, noting the Digital Advertising Alliance, a self-regulating body for online behavioral advertisers. You’ve probably seen the triangular-shaped icons on some ads (see above). Clicking the icon gets you to information about how the ad reached you. Most importantly, it gives you a way to opt-out of behavioral advertising that tracks your interests and attempts to predict your preferences to show relevant ads.

Greater transparency – The report calls for companies to make their information collection and use practices transparent. Included is a recommendation that firms provide consumers with “reasonable access” to the data collected about them. Privacy notices should be shorter, clearer and standardized so that consumers can understand them better.

What the FTC Framework Applies To

The FTC’s framework applies to online and offline data, both. It applies to data that is “reasonably linkable” to a specific consumer, computer or device.

It applies to businesses of all sizes that handle consumer data. But it does have what might be considered a small business exception: businesses that collect non-sensitive information from fewer than 5,000 consumers each year, and do not sell the information to third-party marketers. For example, the privacy framework would not apply to independent retailers that use emails to keep fewer than 5,000 customers informed about special sales.

Although the FTC’s report does not have the power of law, it is a good collection of common-sense privacy protection practices along with evolving industry practices. And for businesses, it gives you a sense of which way the winds are blowing around consumer privacy issues.